Cloudflare Makes DNSSEC Activation Easy

A boost is expected in the near future in the adoption of the DNSSEC technology that establishes trust in the Domain Name System (DNS) - the mechanism responsible for translating website names into machine-intelligible data.

Cloudflare announces today that its customers now have a simple way to increase DNS security, without any configuration at the registrar.

Domain Name System in short

Because humans are not as good at working with numbers as computers, a model called Domain Name System (DNS) takes care of the translation of a website name into the corresponding IP address when we want to access a website.

This system worked like a charm until it was discovered that it was vulnerable and adversaries could manipulate it to point users to malicious content.

Enter DNSSEC (Domain Name System Security Extensions) a model that builds a chain of trust between the DNS servers responsible for directing client queries to the appropriate destination. It provides authenticity and integrity in the answers received from authoritative nameservers.

Slow DNSSEC adoption

DNSSEC is the solution for a safer internet, but its adoption is dragging, despite its deployment on the first root name server - the first place a client query reaches when looking for a domain, being announced for December 1, 2009.

According to information from Asia-Pacific Network Information Centre (APNIC), worldwide DNSSEC validation is currently at 15.8%.

"The blame here falls on the shoulders of the default DNS providers that most devices and users receive from DHCP via their ISP or network provider," says Cloudflare.

While in some countries DNSSEC adoption is over 80%, the world map is still mainly in the red from regions where validation resolvers are under 10%, which is the case with many European countries. In the US, current adoption is above 23%.

Cloudflare makes it simple

Another problem identified by Cloudflare in the adoption of DNSSEC at the level of individual domains, because some large DNS operators either do not provide the option or charge for it.

Furthermore, statistics from APNIC show that many domain owners attempt to activate DNSSEC but do not finish the process, suggesting a difficult procedure.

To address the issue, Cloudflare makes it easy for the domain owners in its network to activate DNSSEC, by offering a minimalistic interface for adding Delegation Signer (DS) records for the child domains.

The company says that customers on supported registries will have the possibility to enable DNSSEC in one click, from the Cloudflare dashboard.

The company also announces full support for CDS/CDNSKEY (Child DS/Child DNSKEY) records for the domains that enable DNSSEC from Cloudflare Dash.

The purpose of these records is to signal changes in secure entry points, thus validating the delegations when the DNS operator does not have an alternative to inform the parent of that changes are required.

"Cloudflare will publish CDS and CDNSKEY records for all domains who enable DNSSEC. Parent registries should scan the nameservers of the domains under their purview and check for these rrsets. The presence of a CDS key for a domain delegated to Cloudflare indicates that a verified Cloudflare user has enabled DNSSEC within their dash and that the parent operator (a registrar or the registry itself) should take the CDS record content and create the requisite DS record to start signing the domain," the company explains.

With this move, Cloudflare hopes that more DNS providers will follow in its footsteps to make users less vlnerable to DNS attacks. Its customers can activate DNSSEC for free and enter the DS to the parent, the company says.

Ionut Ilascu is freelancing as a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.